Network administrator liable for damages resulting from cyberattack

In the case at hand, a company in the oil and fuel sector—victim of a ransomware attack—sought compensation from its network administrator. The court granted the claim, holding the network administrator liable for the damages. This ruling is particularly relevant for understanding under what circumstances, and in what manner, an IT service provider must warn clients about security risks. The judgment highlights two key practical points:

• Uncertainty about the point of entry (i.e., how the attackers gained access to the network) does not necessarily preclude liability. If it is evident that the damage could have been prevented through network segmentation, stronger password policies, or a properly isolated backup system, this may suffice to establish liability.
• The content of the agreement partly determines the scope of the network administrator’s duty of care. Generally, a network administrator is expected to act proactively and explicitly warn the client about security risks. This duty to warn must not be taken lightly. The administrator must inform the client clearly, repeatedly, and emphatically about such risks. A single sentence in an email or the mere inclusion of optional security measures in a quote is typically insufficient.

For inquiries, please contact Jeroen van Helden, Attorney at law specializing in IT, Privacy & Cybersecurity.

Would you like to receive a monthly overview of updates and blog posts in your inbox? Subscribe to our newsletter!